KernelCare Blog

If anyone tells you that they know how to secure linux, but they fail to mention live patching – don’t listen to them. Keeping servers automatically up to date is key to keeping them safe. In the complex security question of how to secure Linux, patching live, in real-time, is the missing link.

Linux is a very stable OS, but it also has a very complicated kernel. The master branch of the Linux kernel git repository contains more than 20,000,000 lines of human-written code! With this much complexity comes vulnerabilities, some of them very threatening.

How to Secure Linux

To counter such vulnerabilities, Linux vendors are constantly providing partial patch updates for the kernel. It’s a constant whack-a-mole of Linux security. If you’re wondering how to secure Linux, this is a big part of the answer: always apply your patches, as quickly as possible!

However, right now, many organisations patch by rebooting their servers. Because rebooting is a major hassle, involving downtime and potential errors, people (understandably) delay for as long as they can, waiting until the patch releases have piled up to the point where they can’t be ignored anymore. But this is a bad, bad idea. Yes, kernel vulnerabilities with the potential to enable a serious compromise are rare. You might see only a couple every year. But here’s the thing: when they come, they are ruinous. And every day that a vulnerability is known but not patched is another day when you are at risk.

So: how to secure Linux with smarter patching? Quit with the rebooting. Instead, you need live kernel patching.

Live Kernel Patching

At KernelCare, our kernel team monitors security mailing lists. When a new patch is available for the active kernel, the agent downloads it and applies it to the running kernel, right away. With this system, kernel updates are applied as quickly as possible, protecting you from bad actors, and keeping you compliant. This happens without a moment of kernel downtime or any disruption of its operation. There is no need to reboot, no service interruptions or packet drops, and no need to kill any processes or user sessions.

There is a lot of discussion about how to secure Linux, but this one is a no-brainer. Rebootless kernel patching is like insurance: if you’re lucky, you’ll never find yourself in a bad situation. But if you do, you’ll be damn glad that you have it. And like insurance, rebootless kernel patching is not a nice-to-have; it is an absolute necessity for anyone who wants to stay safe.

To get the full lowdown on why rebooting your servers is making you insecure and noncompliant – and why it’s a matter of time until you discover this the hard way – read our full whitepaper here.

You've just installed a kernel update, and now you need to carry out a Linux reboot. Except guess what? You don’t. Word is only just starting to get out, but times have changed, and rebooting is a thing of the past. This is a very positive development: because rebooting to patch is a hassle, companies frequently delay it for as long as they can – with damaging consequences.


Linux kernel updates are a fact of life – as dull as taxes and only slightly less inconvenient than death. Newly discovered security vulnerabilities in the Linux kernel seem to appear with monotonous regularity. In most but not all cases, the patches needed to fix them follow swiftly after. There is work involved in installing the latest Linux kernel security patches, and danger if you delay – leave it too long and threat actors might take advantage of the period of vulnerability.


1. About the Zombieload/MDS Vulnerability
2. Patch Release Schedule

About the Zombieload/MDS Vulnerability

Vulnerabilities are becoming like celebrities, with freaky names and their own websites.

The latest ones to hit the scene are Zombieload, RIDL and Fallout, also known as Microarchitectural Data Sampling (MDS for short), discovered by Intel and researched by academic departments at security-focused institutions around the world. These vulnerabilities are in the same vein as Spectre and Meltdown, being hardware design flaws that leak data. Zombieload is particularly worrying because it affects all Intel Core and Xeon CPUs manufactured since 2011.


Organizations use cloud services like AWS to be more agile and more profitable. This doesn’t stop them spending millions of dollars on cybersecurity, investing in network defense and endpoint protection, hiring consultants, and purchasing threat intelligence reports.

But companies still get hacked, and still suffer data breaches and server compromises, often traceable to out-of-date software, either at the application level, or in the OS itself.
